[00:05.290 --> 00:12.530]  Hello and welcome to this talk on demonstrating ILS and TCAS spoofing attacks.
[00:12.830 --> 00:18.470]  My name is Alex, I'm an aerospace engineer, pilot and hacker at Pentest Partners in the UK
[00:19.030 --> 00:24.830]  and I lead up our aerospace work and research program. I've had the honor of working in all
[00:24.830 --> 00:30.810]  sorts of environments at PTP from government networks and consumer IoT through to planes,
[00:30.810 --> 00:37.290]  trains and automobiles. This is me on the left there flying. What I hope you might notice is
[00:37.290 --> 00:43.010]  that it's a pretty perfect ILS approach for later. So what we're going to be showing
[00:43.850 --> 00:47.810]  in this talk is giving some practical demonstrations of two kinds of radio
[00:47.810 --> 00:52.450]  frequency spoofing attack against two different types of cockpit instruments
[00:52.450 --> 00:56.690]  that are found in virtually every single commercial aircraft flying today.
[00:57.690 --> 01:02.550]  Harshad Shatia is giving a separate companion talk right after this one in the schedule
[01:03.230 --> 01:07.330]  and that goes into a lot more depth on the physics and practicalities involved
[01:07.330 --> 01:12.730]  in generating these types of spoofing. So you should definitely check out that too.
[01:13.950 --> 01:18.610]  Unfortunately though we're not going to be showing this against a real airframe as that would be
[01:18.610 --> 01:26.170]  super illegal. What we do have though is our Airbus A320 simulator at Pentest Partners and that does
[01:26.250 --> 01:31.730]  a pretty good job of being able to simulate the aircraft's flight characteristics and its avionics.
[01:31.750 --> 01:37.630]  It's the same flying model that's used in professional simulators but it's obviously
[01:37.630 --> 01:42.950]  not certified to the same standard. So we can emulate and test things against most major
[01:42.950 --> 01:50.810]  systems including ILS and TCAS. So TCAS is the traffic collision avoidance system and does pretty
[01:50.810 --> 01:56.430]  much what it says. It provides both audio and visual cues to a pilot about other aircraft
[01:56.430 --> 02:05.030]  or traffic that come within two protective bubbles the TA and RA regions. Traffic advisories
[02:05.030 --> 02:11.170]  are labelled orange and are aircraft that don't pose an immediate threat but might then become
[02:11.490 --> 02:17.930]  a resolution advisory. This means the pilot needs to take immediate action to avoid that conflict.
[02:17.930 --> 02:25.230]  The TCAS system will give these RAs in the form of climb or descent but never turn. It's vertical
[02:25.230 --> 02:32.630]  movement only. Aircraft equipped with TCAS transponders, and that's most passenger aircraft
[02:33.110 --> 02:39.330]  but not general aviation, you know, small things with propellers, will emit interrogation signals
[02:39.330 --> 02:45.690]  and listen for replies. And the transponders then use this time of flight to compute distance between
[02:45.690 --> 02:53.050]  aircraft many times a second. As not all aircraft are equipped with TCAS, a hybrid mode can use
[02:53.050 --> 02:59.150]  inputs from ADS-B and you might be familiar with that from services such as Flightradar24
[02:59.830 --> 03:05.070]  and it uses this to add these other aircraft into the picture as well.
[03:05.490 --> 03:11.330]  Resolution advisories in theory must be obeyed over any air traffic control instructions
[03:12.070 --> 03:19.150]  and not doing so was the cause of the sad 2002 Überlingen incident between a Tu-154
[03:19.150 --> 03:27.350]  and a DHL cargo flight. In busy airspace and Los Angeles is often cited as one such area,
[03:27.810 --> 03:33.810]  traffic alerts can become almost constant to the point that it can become a significant pilot
[03:33.810 --> 03:39.910]  workload and we've heard anecdotally that TCAS is sometimes turned off in such situations.
[03:41.910 --> 03:48.290]  In our EVA simulator with the autopilot engaged, the aircraft will actually fly resolution
[03:48.290 --> 03:54.470]  advisories automatically, moving away from a preset altitude and then returning to that
[03:54.470 --> 04:00.370]  after the conflict has passed. Now this is an aircraft and airline option and it's not always
[04:00.370 --> 04:06.350]  enabled however. So in the demonstration that follows we have the aircraft flying straight and
[04:06.350 --> 04:12.770]  level with a wall of spoofed aircraft coming directly towards us. The TCAS system will issue
[04:12.770 --> 04:19.070]  TAs then RAs and then take control to move us out of conflict if we do nothing.
[04:22.640 --> 04:28.980]  So we are just over 5,000 feet and our spoofed aircraft are introduced ahead of us.
[04:29.020 --> 04:35.220]  They turn from orange to red quite quickly on the right hand navigation display and the vertical
[04:35.220 --> 04:42.900]  speed strip on the left hand display now shows a red unsafe and a green safe band at the same time
[04:42.900 --> 04:49.200]  calling out to descend. Ideally the pilot would now pitch down to obtain that safe vertical speed
[04:49.200 --> 04:57.480]  of about 2,000 feet per minute. If we choose to ignore this, the aircraft will automatically take control
[04:57.480 --> 05:03.540]  and put the aircraft into a safe descent allowing our intruder aircraft to pass above us.
[05:33.750 --> 05:37.970]  Once we're clear of any conflict the aircraft will pitch back up,
[05:37.970 --> 05:46.440]  increase thrust and return us back to 5,000 feet. So our next system is the instrument landing system
[05:46.440 --> 05:50.940]  which provides lateral and vertical guidance to a pilot when approaching a runway.
[05:51.380 --> 05:55.880]  This is typically most useful in poor weather conditions but is often used even in clear and
[05:55.880 --> 06:03.580]  fine weather. So for a specific runway a VHF ILS frequency is given which includes both a
[06:03.580 --> 06:11.040]  glideslope, the vertical portion, and a localizer beam, the lateral. Each beam has two lobes at
[06:11.040 --> 06:16.520]  different frequencies and the receiver works out the signal strength of each and when each is the
[06:16.520 --> 06:22.080]  same that means you're in the center. It's a pretty simple and basic technology that's been around
[06:22.080 --> 06:28.660]  quite a long time. The pilot then centers some magenta bars on a display instrument or more
[06:28.660 --> 06:33.440]  likely the autopilot then follows them automatically and that will get you to the
[06:33.440 --> 06:40.360]  touchdown point of the runway. So our situation in the simulator is that we have selected and tuned
[06:40.360 --> 06:47.860]  to the ILS runway 28 right here at San Francisco and that's the red one marked here. We will
[06:47.860 --> 06:54.080]  initially be flying in cloud so we can't see the airport runway lights or ground but unknown to us
[06:54.080 --> 07:00.140]  the localizer signal is being spoofed from a location off to the left of our aircraft and what
[07:00.140 --> 07:05.620]  will happen is that we will pop out from the cloud at quite a low level and find ourselves nowhere
[07:05.620 --> 07:15.870]  near where we expect it to be. So the aircraft is established on the ILS for runway 28 right as we
[07:15.870 --> 07:22.390]  can see at the top of the right hand navigation display. The magenta pips on the left hand primary
[07:22.390 --> 07:28.010]  flight display are both centered horizontally and vertically so we believe ourselves to be
[07:28.010 --> 07:33.470]  flying down the correct path to the runway. In the bottom right we see the outside world
[07:33.470 --> 07:42.390]  such as it is, but we're in cloud, so of course it's just grey. We have selected flap and gear down at
[07:42.390 --> 07:59.960]  this point as well. At 400 feet the aircraft believes itself to be in landing mode and ground
[07:59.960 --> 08:09.010]  proximity and traffic alerts will be inhibited beyond this point. At 300 feet we break out of
[08:09.010 --> 08:14.030]  the cloud and find ourselves well left of the runway even though our instruments are still
[08:14.030 --> 08:20.570]  indicating we're on the center line. Now a pilot would go around and retry the landing if faced
[08:20.570 --> 08:33.940]  with this situation if they had sufficient visibility to make that decision. So I will
[08:33.940 --> 08:38.620]  leave Harshad to go into more of the detail in his talk but I personally feel that ILS spoofing
[08:38.620 --> 08:44.360]  is unlikely given you would need a pretty powerful antenna in very close proximity to the airport.
[08:45.180 --> 08:50.800]  This is likely to get you spotted by the police pretty quickly I would suggest. It's also fairly
[08:50.800 --> 08:56.820]  likely that the pilot would see intermittent nav error flags in their displays telling them the ILS
[08:56.820 --> 09:04.640]  system was unreliable. TCAS, given it uses time of flight, would be more difficult to spoof unless
[09:04.640 --> 09:10.980]  you had some kind of drone floating around in the airspace. But ADS-B is relatively straightforward
[09:10.980 --> 09:15.880]  to generate from the ground and that might be enough of a distraction to lead pilots to switch
[09:15.880 --> 09:23.100]  off the system altogether. Please do watch Harshad's talk which goes into a much deeper dive
[09:23.100 --> 09:29.240]  on the theory and practicalities. And lastly, a special thank you to my colleague Phil Eberle
[09:29.240 --> 09:34.120]  who managed to get the simulated video at really short notice. So thanks Phil.
[09:34.640 --> 09:38.940]  Thank you for listening and I really look forward to hearing your comments and thoughts in the chat.
